Important notes

Any Identity Provider (IdP) which supports SAML2 should in theory work with Shotgun. We have successfully used:

ADFS,

PingIdentity,

Okta,

OneLogin.

The iOS Review App does not support SSO login at this time.

Using SSO on your site will have the following effects:

If you use RV in your studio, you will need to update to RV 7.2.2 or later.

If you use the Shotgun Desktop or the Toolkit, you will need to update to version 1.5.0 or later.

If you use the shotgun_api3 python module, you will no longer be able to use the user_login/user_password pair method to create new sessions.

As an Admin, you can access the single sign-on (SSO) configuration under Site Preferences > Authentication. This option will only be present after a Shotgun Support person makes it available for your site. Since this feature is still in Beta, we have an on-boarding process with our clients, which usually starts with a meeting with your Shotgun admin and SSO admin.

The first time you log in after enabling SSO, you will be prompted to use your organization’s username and password.

SSO works with both Shotgun and RV.

If SSO is enabled, RV users will see an error message if they try to sign in without SSO.

Using SSO

As a user, once you log in via SSO, your Shotgun site should look the same. However, your username may be different, depending on your organization’s login.

As an Admin, you will notice the following changes:

You will no longer be able to reset user passwords. This will be controlled by your studio’s IT department.

You will no longer be able to test Shotgun under different users, only under your own account, unless your organization issues you additional user names.

Users are created on login: if Shotgun has no existing user with that login ID, one is created. Note that renaming an existing user may result in duplicate users.

If you change a user’s first name, last name, full name, or email, those fields will be reset to the original when the user logs in. This is because that information comes from your organization’s IT department.

Your organization’s IT department must grant both new and existing users access to your site.

You can invite new users and create new users for your site. Shotgun will send them a welcome email and they can use their SSO account to sign in.

SSO provides the following abilities to your Shotgun site:

Centralize permission management,

Grant and revoke Shotgun access from the SSO system, and

Synchronize user information, such as name and email, between the SSO system and Shotgun.

Public certificate: The certificate will be used to encrypt and decrypt your requests.

SAML 2.0 endpoint (HTTPS): The endpoint which will be contacted to validate your credentials. For example, "https://single.login.url".

Identity provider issuer: The ID your service will use.

Test the SAML authentication by clicking on the test button. Accept new tabs to verify that you can log in.

If the test succeeds, set "SAML Authentication" as your authentication method.

Other options

The YAML configuration will be covered at the end of this article.

Enabling and disabling SSO

Admins can enable and disable SSO. You will receive an email each time you enable or disable SSO.

If you disable SSO, you can use your old Shotgun username and password to log in.

If you did not have a Shotgun account before SSO was enabled, you will receive an email that allows you to reset your password.

SAML2 Configuration

Contract

The Active Directory SAML2 response must provide the following five mandatory attributes; a sixth attribute, groups, is optional. Each entry gives the attribute name, its type, whether it is mandatory, and details.

login_id (string, Mandatory): The ID the user will have in Shotgun. This must be unique within Shotgun.

firstname (string, Mandatory): The user's first name.

lastname (string, Mandatory): The user's last name.

email (string, Mandatory): The user's email address.

access (string: true/false, Mandatory): If 'true', the user will have access to Shotgun.

groups (string, Optional): If it is not present, or empty, the user's permission group will not be modified from its current value. For a new user, the default user permission group will be used, as defined in the Site Preferences. If it is present, it should correspond to the name of one of the permission groups defined in Shotgun. If the name does not match, the user will be granted the default user permission group. Example: "Admin".

Session duration is based on the SAML response:

If saml:AuthnStatement contains a field SessionNotOnOrAfter, that field will indicate a session's duration.

Otherwise the saml:Conditions field NotOnOrAfter indicates a session duration.

At the end of the session, renewal may require users to enter their credentials.
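To make the attribute contract and the session-duration rules concrete, here is an added Python example. It is not Shotgun's code and not part of this article: it parses a constructed SAML assertion, checks that the five mandatory attributes are present, applies the groups rule (absent or empty keeps the current group, an unknown name falls back to the default), and picks the session expiry with the precedence described above (SessionNotOnOrAfter on saml:AuthnStatement first, then NotOnOrAfter on saml:Conditions). The permission group names, the default group, and every value in the sample assertion are assumptions made for the example.

```python
"""Derive a Shotgun-style user record and session expiry from a SAML2 assertion.

Added example; the contract rules follow the article, all data is constructed.
In production the response must be signature-verified and parsed with a
hardened XML parser (e.g. defusedxml) before any attribute is trusted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

MANDATORY_ATTRIBUTES = ("login_id", "firstname", "lastname", "email", "access")

# Assumed stand-ins for the permission groups defined on a site and for the
# default group set in Site Preferences (not values from the article).
SITE_PERMISSION_GROUPS = {"Admin", "Manager", "Artist"}
DEFAULT_PERMISSION_GROUP = "Artist"

# Constructed sample assertion with placeholder values; not from a real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2020-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2020-01-01T11:55:00Z" NotOnOrAfter="2020-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2020-01-01T12:00:00Z" SessionNotOnOrAfter="2020-01-01T20:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="login_id"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="access"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_instant(value):
    """Parse a SAML xsd:dateTime such as 2020-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_attributes(assertion):
    """Return {Name: text} for every saml:Attribute in the AttributeStatement."""
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value_el = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value_el.text or "").strip() if value_el is not None else ""
    return attrs


def session_expiry(assertion):
    """SessionNotOnOrAfter on saml:AuthnStatement takes precedence over
    NotOnOrAfter on saml:Conditions."""
    authn = assertion.find("saml:AuthnStatement", SAML_NS)
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        return _parse_instant(authn.get("SessionNotOnOrAfter"))
    conditions = assertion.find("saml:Conditions", SAML_NS)
    if conditions is not None and conditions.get("NotOnOrAfter"):
        return _parse_instant(conditions.get("NotOnOrAfter"))
    raise ValueError("assertion carries no session expiry")


def resolve_permission_group(groups_value, current_group):
    """Absent/empty keeps the current group (default for a new user); a known
    group name is applied; an unknown name falls back to the default group."""
    if not groups_value:
        return current_group or DEFAULT_PERMISSION_GROUP
    if groups_value in SITE_PERMISSION_GROUPS:
        return groups_value
    return DEFAULT_PERMISSION_GROUP


def user_from_assertion(xml_text, current_group=None):
    """Validate the contract and return the user record plus session expiry."""
    assertion = ET.fromstring(xml_text)
    attrs = extract_attributes(assertion)
    missing = [name for name in MANDATORY_ATTRIBUTES if not attrs.get(name)]
    if missing:
        raise ValueError("missing mandatory SAML attributes: " + ", ".join(missing))
    if attrs["access"] not in ("true", "false"):
        raise ValueError("access must be 'true' or 'false', got %r" % attrs["access"])
    return {
        "login_id": attrs["login_id"],
        "firstname": attrs["firstname"],
        "lastname": attrs["lastname"],
        "email": attrs["email"],
        "access": attrs["access"] == "true",
        "permission_group": resolve_permission_group(attrs.get("groups"), current_group),
        "session_expires": session_expiry(assertion),
    }


if __name__ == "__main__":
    for key, value in user_from_assertion(SAMPLE_ASSERTION).items():
        print("%-17s %s" % (key, value))
```

Running the block prints the record derived from the sample; dropping the SessionNotOnOrAfter attribute from the sample makes the expiry fall back to the Conditions value, and removing any mandatory attribute makes the record be rejected rather than created with blanks.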

Example

Below is an example of a valid SAML answer for Shotgun. (Note that relevant fields have been removed.)

Encryption and other options

Encryption

Every call from the Identity Provider (IdP) is encrypted with the certificate. By default, calls to the IdP are not encrypted; encryption can be forced by setting the right options in the YAML.